CN102469098B - Information safety protection host machine - Google Patents

Information safety protection host machine

Publication number: CN102469098B (application CN201010554245.0A; other version CN102469098A)
Authority: CN (China)
Legal status: Active
Inventors: 林志鸿, 田谨维, 王声浩
Assignee (original and current): Institute for Information Industry
Prior art keywords: information, operating system, network, grouping (packet), virtual machine
Classification: Computer And Data Communications

Events: application filed by Institute for Information Industry; priority to CN201010554245.0A; publication of CN102469098A; application granted; publication of CN102469098B; legal status active.
Abstract

The invention relates to an information security protection host comprising a network interface and a virtual machine monitor (VMM) device. The network interface is connected to a computer network and receives a first packet. The VMM device runs a first operating system, which provides a first network service. The VMM device also provides, in real time, first operating system information about the first operating system and first network service information about the first network service, so that the security of the first packet can be judged according to the first operating system information or the first network service information.

Description

Information safety protection host machine
Technical field
The invention relates to an information security protection host (the "information safety protection host machine" of the title). In particular, according to the one or more operating systems it runs and the network services each of them provides, the host selects from a plurality of verification rules the rule set that corresponds to each operating system or its network services, and verifies received packets with that rule set, so that packets associated with different operating systems are not all verified with the same full set of rules.
Background technology
With the rapid growth of the Internet, more and more enterprises set up hosts to provide a variety of network services, such as web, e-mail and File Transfer Protocol (FTP) services. Although the Internet makes it easy to transmit information, it also lets attackers steal or modify the data stored on a host by intruding into it. To protect that data, most enterprises have in recent years installed an Intrusion Detection System (IDS) on their hosts to detect intrusion behaviour.
A traditional IDS loads too many verification rules to check the content of each received packet: even when a packet cannot possibly threaten the operating system running on the host, the whole rule set is loaded and applied. Loading so many rules consumes a great deal of system performance and also makes false positives more likely.
In addition, because some enterprise hosts now use a virtual machine monitor (VMM) device to run several different operating systems, a VMM that also runs a traditional IDS to verify every packet associated with each operating system loads even more rules, so detection performance drops further and still more system resources are consumed.
In summary, how to improve the detection performance of an IDS, particularly when the host uses a VMM device to run several different operating systems, is a problem the industry still needs to solve.
Summary of the invention
One object of the present invention is to provide an information security protection host. The host runs one or more operating systems to provide one or more network services, and judges the security of the packets it receives that are associated with each operating system according to the operating systems it runs and the services they provide.
To achieve this object, the invention discloses an information security protection host comprising a network interface and a VMM device. The network interface is connected to a computer network and receives a first packet. The VMM device is connected to the network interface and runs a first operating system, which provides a first network service. The VMM device also provides, in real time, first operating system information about the first operating system and first network service information about the first network service; the first network service information includes a first service port number. When the network interface receives the first packet through a communication port, the VMM device judges, according to the first operating system information and the first network service information, that the first packet is associated with the first operating system and that the number of the port on which it arrived is not equal to the first service port number, and filters out the first packet.
Another object of the present invention is to provide an information security protection host that runs one or more operating systems to provide one or more network services and that also runs a security system providing a plurality of verification rules. According to the operating systems the host runs and the services they provide, the security system screens, from the plurality of rules, the rule set that matches each operating system. When the host receives a packet associated with an operating system, the security system analyses the packet content with the screened rule set instead of the whole rule set, which improves detection performance.
To achieve this object, the invention further discloses an information security protection host comprising a network interface and a VMM device. The network interface is connected to a computer network and receives a first packet. The VMM device is connected to the network interface and runs a first operating system and a security system. The first operating system provides a first network service, and the security system provides a plurality of verification rules. The VMM device also provides, in real time, first operating system information about the first operating system and first network service information about the first network service to the security system, so that the security system screens a first rule set from the rules according to that information, judges that the first packet is associated with the first operating system, and verifies the first packet with the first rule set.
A further object of the present invention is to provide an information security protection host that runs one or more operating systems to provide one or more network services, that also runs a security system providing a plurality of verification rules, and that verifies the received packets associated with each operating system against those rules. When a packet fails one of the rules, the host also judges whether the packet is associated with an operating system and whether the rule is relevant to that operating system, in order to decide whether the packet can actually threaten it. This avoids false positives when the security system verifies packets against the rules.
To achieve this object, the invention also discloses an information security protection host comprising a network interface and a VMM device. The network interface is connected to a computer network and receives a first packet. The VMM device is connected to the network interface and runs a first operating system and a security system. The first operating system provides a first network service. The VMM device also provides, in real time, first operating system information about the first operating system and first network service information about the first network service. The security system provides a plurality of verification rules and verifies the first packet against them. When the first packet fails one of the rules, the VMM device judges, according to the first operating system information or the first network service information, that the first packet is associated with the first operating system and that the rule is unrelated to the first operating system, so that the security system's verification of the first packet does not produce a false positive.
The useful technical effect of the invention is as follows. The VMM device of the host obtains information about the several different operating systems it runs from its own memory, and uses that information to filter the packets the host receives according to each operating system or the network services it provides. The same information also lets the security system run by the VMM device screen, from the original large rule set, the rule subset corresponding to each operating system or its network services, so that a packet is verified with the subset matching its operating system instead of the whole rule set. When the security system does verify packets against the whole rule set, the information also avoids false positives. The information security protection host of the invention therefore improves detection performance and reduces false positives.
After reading the embodiments described below with reference to the accompanying drawings, a person of ordinary skill in the art will understand the other objects, advantages, technical means and implementations of the invention.
Accompanying drawing explanation
Fig. 1 is a schematic diagram of the information security protection host 1 of the first embodiment of the invention;
Fig. 2 is a schematic diagram of the information security protection host 1 of the second embodiment of the invention;
Fig. 3 is a schematic diagram of the information security protection host 1 of the third and fifth embodiments of the invention; and
Fig. 4 is a schematic diagram of the information security protection host 1 of the fourth and sixth embodiments of the invention.
Embodiment
The invention provides an information security protection host that runs one or more operating systems, each of which provides one or more network services. When a packet associated with an operating system is received, the host judges the security of the packet according to operating system information about that operating system and network service information about the network services it provides. The following embodiments illustrate the technical content of the invention and do not limit its scope. Elements unrelated to the invention are omitted from the embodiments and drawings, and the relative sizes of the elements in the drawings are chosen only for ease of understanding and do not reflect actual proportions.
An information security protection host 1 of the first embodiment of the invention is shown in Fig. 1. Host 1 comprises a network interface 11 and a virtual machine monitor (VMM) device 13. Host 1 is connected through network interface 11, in a wired or wireless manner, to a computer network 2, which can be any combination of a private network, a global network, the Internet and other networks.
VMM device 13 has a memory 13a and runs a first operating system 131. The first operating system 131 provides a first network service, for example any combination of a web page service, a File Transfer Protocol (FTP) service, an e-mail service and other network services. The first operating system 131 can be a Microsoft operating system, a Unix-like operating system or any other operating system capable of providing network services, and VMM device 13 can be built from ordinary host hardware (central processing unit, memory, hard disk, motherboard and so on) or be any other device able to run one or more operating systems at the same time.
In this embodiment, because VMM device 13 uses memory 13a while running the first operating system 131, memory 13a holds information associated with the first operating system 131, for example first operating system information about the first operating system 131 and first network service information about the first network service it provides. The first operating system information indicates whether the first operating system is a Microsoft operating system, a Unix-like operating system or another operating system, and the first network service information indicates which combination of a web service, an FTP service, an e-mail service or other network services the first service comprises.
Taking a Microsoft operating system as an example: while it runs, its kernel creates a Process Environment Block (PEB) data structure in memory to hold related parameters. The OSMajorVersion and OSMinorVersion fields of the PEB hold the version parameters of the Microsoft operating system. For example, OSMajorVersion "7" with OSMinorVersion "0" indicates Windows 7; OSMajorVersion "6" with OSMinorVersion "0" indicates Windows Vista or Server 2008; OSMajorVersion "5" with OSMinorVersion "2" indicates Windows Server 2003; and OSMajorVersion "5" with OSMinorVersion "1" indicates Windows XP. The PEB data structure belongs to the prior art, and a person of ordinary skill in the art can readily learn its details from the prior-art documents, so it is not described further here.
While a Microsoft operating system runs, its kernel also creates an EPROCESS data structure and a MIB_TCPROW_OWNER_MODULE data structure in memory. The EPROCESS data structure records the programs currently executing (including the program that provides the first network service), and the MIB_TCPROW_OWNER_MODULE data structure records information related to those executing programs. Accordingly, the process list can be taken from the EPROCESS data structure, and the information related to each executing program can then be obtained from the MIB_TCPROW_OWNER_MODULE data structure according to the process identifier (PID) in that list. In addition, when the first network service provided by the first operating system 131 changes (a new network service is opened or an existing one is closed), the first operating system automatically produces a page fault message; VMM device 13 responds to that page fault by obtaining the information about the newly opened or closed network service and updating the first network service information.
Following the above description, VMM device 13 reads from its memory 13a the first operating system information of the first operating system 131 and the first network service information of the first network service it provides. Although only a Microsoft operating system is used as an example, a person of ordinary skill in the art can readily determine, from the technical specification of any operating system, how to obtain its operating system information and the information about the network services it provides from memory; the kind of operating system and service therefore does not limit the scope of the invention, and the practice for other operating systems is not described in detail here.
Subsequently, when network interface 11 receives a first packet 102, VMM device 13 filters the first packet 102 according to the first service port number used by the first network service, as recorded in the first network service information (for example, 807). For example, when network interface 11 receives the first packet 102 through a communication port (for example, 544), VMM device 13 judges that the first packet 102 is associated with the first operating system 131 (the destination of the first packet 102 is the first operating system 131) and that the port on which the first packet 102 was received is not equal to the first service port number, and filters out the first packet 102.
The information security protection host 1 of the second embodiment of the invention is shown in Fig. 2. Unlike the first embodiment, in the second embodiment network interface 11 also receives a second packet 104 from computer network 2, and VMM device 13 of host 1 also runs a second operating system 133. The second operating system 133 provides a second network service, for example any combination of a web service, an FTP service, an e-mail service and other network services. Likewise, the second operating system 133 can be a Microsoft operating system, a Unix-like operating system or any other operating system capable of providing network services.
Because VMM device 13 also uses memory 13a while running the second operating system 133, memory 13a holds information associated with the second operating system 133, for example second operating system information about the second operating system 133 and second network service information about the second network service it provides. The second operating system information indicates whether the second operating system 133 is a Microsoft operating system, a Unix-like operating system or another operating system, and the second network service information indicates which combination of a web service, an FTP service, an e-mail service or other network services the second service comprises.
When network interface 11 receives the second packet 104, VMM device 13 filters the second packet 104 according to the second service port number used by the second network service, as recorded in the second network service information (for example, 707). For example, when network interface 11 receives the second packet 104 through a communication port (for example, 474), VMM device 13 judges that the second packet 104 is associated with the second operating system 133 (the destination of the second packet 104 is the second operating system 133) and that the port on which the second packet 104 was received is not equal to the second service port number, and filters out the second packet 104.
The information security protection host 1 of the third embodiment of the invention is shown in Fig. 3. Unlike the first embodiment, in the third embodiment VMM device 13 of host 1 also runs a security system 135, and VMM device 13 does not need to filter the first packet 102 by the first service port number recorded in the first network service information. Security system 135 provides a plurality of verification rules. It can be an Intrusion Detection System (IDS), a Network Intrusion Detection System (NIDS), a Network Intrusion Prevention System (NIPS), a web application firewall (Web App Firewall), a firewall, or any other system with a security function.
VMM device 13 reads the first operating system information of the first operating system 131 and the first network service information of the first network service it provides from its memory 13a and supplies them to security system 135. Security system 135 screens a first rule set from the verification rules according to the first operating system information or the first network service information. For example, when the first operating system information shows that the first operating system is a Microsoft operating system (Windows Server 2003) and the first network service information shows that the first network service comprises an e-mail service, security system 135 screens from the rules those concerning the Microsoft operating system (Windows Server 2003) and, further, the e-mail service, as the first rule set. Accordingly, when network interface 11 receives the first packet 102, VMM device 13 can use security system 135 to verify it. When security system 135 judges that the first packet 102 is associated with the first operating system 131 (the destination of the first packet 102 is the first operating system 131), it applies the first rule set, rather than the whole rule set, to verify the first packet 102. Specifically, if the first packet 102 passes verification by the first rule set, VMM device 13 delivers the first packet 102 to the first operating system 131; if it does not, the first packet 102 is filtered out so that it cannot threaten the first operating system 131.
In other embodiments, VMM device 13 can additionally filter the first packet 102 first by the first service port number recorded in the first network service information. When VMM device 13 judges that the first packet 102 is associated with the first operating system 131 (the destination of the first packet 102 is the first operating system 131) and that the port on which the first packet 102 was received equals the first service port number, it then uses security system 135 to verify the first packet 102. In other words, VMM device 13 of the invention can verify packets with security system 135 alone, or first filter packets by port number and then verify them with security system 135.
The information security protection host 1 of the fourth embodiment of the invention is shown in Fig. 4. Unlike the third embodiment, in the fourth embodiment network interface 11 also receives a second packet 104 from computer network 2, and VMM device 13 of host 1 also runs a second operating system 133. The second operating system 133 provides a second network service, for example any combination of a web service, an FTP service, an e-mail service and other network services. Likewise, the second operating system 133 can be a Microsoft operating system, a Unix-like operating system or any other operating system capable of providing network services. In the fourth embodiment, VMM device 13 likewise does not need to filter the second packet 104 by the second service port number recorded in the second network service information.
Because VMM device 13 also uses memory 13a while running the second operating system 133, memory 13a holds information associated with the second operating system 133, for example second operating system information about the second operating system 133 and second network service information about the second network service it provides. The second operating system information indicates whether the second operating system 133 is a Microsoft operating system, a Unix-like operating system or another operating system, and the second network service information indicates which combination of a web service, an FTP service, an e-mail service or other network services the second service comprises.
VMM device 13 reads the second operating system information of the second operating system 133 and the second network service information of the second network service it provides from its memory 13a and supplies them to security system 135. Security system 135 screens a second rule set from the verification rules according to the second operating system information or the second network service information. For example, when the second operating system information shows that the second operating system is a Unix-like operating system and the second network service information shows that the second network service comprises a web service and an FTP service, security system 135 screens from the rules those concerning Unix-like operating systems and, further, the web service and the FTP service, as the second rule set. Accordingly, when network interface 11 receives the second packet 104, VMM device 13 can use security system 135 to verify it. When security system 135 judges that the second packet 104 is associated with the second operating system 133 (the destination of the second packet 104 is the second operating system 133), it applies the second rule set, rather than the whole rule set, to verify the second packet 104. Specifically, if the second packet 104 passes verification by the second rule set, VMM device 13 delivers the second packet 104 to the second operating system 133; if it does not, the second packet 104 is filtered out so that it cannot threaten the second operating system 133.
In other embodiments, VMM device 13 can additionally filter the second packet 104 first by the second service port number recorded in the second network service information. When VMM device 13 judges that the second packet 104 is associated with the second operating system 133 (the destination of the second packet 104 is the second operating system 133) and that the port on which the second packet 104 was received equals the second service port number, it then uses security system 135 to verify the second packet 104.
The information security protection host 1 of the fifth embodiment of the invention is shown in Fig. 3. Unlike the first embodiment, in the fifth embodiment VMM device 13 of host 1 also runs a security system 135, which provides a plurality of verification rules. Security system 135 can be an intrusion detection system, a network intrusion detection system, a network intrusion prevention system, a web application firewall, a firewall, or any other system with a security function.
After the first packet 102 is received, VMM device 13 uses security system 135 to verify it, and security system 135 applies the whole rule set to the first packet 102. When the first packet 102 fails one of the rules, VMM device 13 also judges, according to the first operating system information or the first network service information, whether the first packet 102 is associated with the first operating system 131 and whether that rule is unrelated to the first operating system 131, in order to decide whether security system 135 produced a false positive when it applied the whole rule set to the first packet 102. Specifically, when security system 135 judges that the first packet 102 does not satisfy the rule, it issues a warning. In response to the warning, VMM device 13 judges that the packet is associated with the first operating system 131 (the destination of the first packet 102 is the first operating system 131) and that the rule is unrelated to the first operating system 131; for example, the first operating system 131 is Windows Server 2003 but the rule does not apply to Windows Server 2003. VMM device 13 thereby determines that the verification security system 135 performed on the first packet 102 was a false positive. In this way, false positives produced when security system 135 applies the whole rule set to the first packet 102 are avoided.
The information safety protection host machine 1 of the sixth embodiment of the invention is shown in Figure 4. Unlike the fifth embodiment, in the sixth embodiment network interface 11 also receives the second packet 104 from computer network 2, and the virtual machine administrator device 13 of information safety protection host machine 1 also runs the second operating system 133. The second operating system 133 likewise provides a second network service, for example any combination of a web service, a file transfer protocol (FTP) service, an e-mail service and other network services. Similarly, the second operating system 133 may be a Microsoft operating system, a Unix-like operating system or another operating system capable of providing network services.
When virtual machine administrator device 13 runs the second operating system 133, it also uses memory 13a, so memory 13a stores information related to the second operating system 133, for example the second operating system information of the second operating system 133 and the second network service information of the second network service it provides. The second operating system information may indicate whether the second operating system 133 is a Microsoft operating system, a Unix-like operating system or another operating system, and the second network service information may indicate that the second network service comprises any combination of a web service, a file transfer protocol (FTP) service, an e-mail service or other network services.
After receiving the second packet 104, virtual machine administrator device 13 uses safety system 135 to verify the second packet 104. Safety system 135 applies all of the verification rules to verify the second packet 104. When the second packet 104 fails one of the verification rules, virtual machine administrator device 13 further judges, according to the second operating system information or the second network service information, that the second packet 104 is related to the second operating system 133 and that this rule is unrelated to the second operating system 133, so as to determine whether safety system 135 produced a false judgment when it applied all of the verification rules to verify the second packet 104. Specifically, if safety system 135 judges that the second packet 104 does not conform to this rule, it issues an alert. In response to the alert, virtual machine administrator device 13 judges that the packet is related to the second operating system 133 (the destination of the second packet 104 is the second operating system 133) and that this rule is unrelated to the second operating system 133; for example, the second operating system 133 is a Unix-like operating system, but this rule does not apply to Unix-like operating systems. Virtual machine administrator device 13 can thereby judge that the verification safety system 135 performed on the second packet 104 was a misjudgment. In this way, a false judgment can be avoided when safety system 135 applies all of the verification rules to verify the second packet 104.
It should be noted that in the present embodiment the two operating systems run by virtual machine administrator device 13, and the two network services they respectively provide, are described as "first" and "second"; in other embodiments virtual machine administrator device 13 may run more than two operating systems, each providing its own network services. In other words, the technical means of the present invention can also be carried out when virtual machine administrator device 13 runs more than two operating systems.
In summary, in the present invention the virtual machine administrator device of the host obtains, from its own memory, information about the plurality of different operating systems it runs, and uses that information to let the virtual machine administrator device itself filter the packets the host receives according to the different operating systems or the network services they provide. In addition, this information also lets the safety system run by the virtual machine administrator device select, from the original large body of verification rules, the verification rule set that corresponds to each operating system or the network service it provides. A packet can thus be verified with the rule set selected for its corresponding operating system, avoiding verification against all of the verification rules. Moreover, when the safety system verifies packets against all of the verification rules, this information can also be used to avoid a false judgment during verification. Accordingly, the information safety protection host machine of the present invention can effectively improve detection efficiency and reduce the occurrence of misjudgments.
The above embodiments are only used to exemplify implementation aspects of the present invention and to explain its technical features; they are not intended to limit the scope of protection of the present invention. Any change or equivalent arrangement that a person skilled in the art could make without inventive effort falls within the scope claimed by the present invention, and the scope of the present invention shall be determined by the claims.
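The three mechanisms summarised above (filtering by service communication port, screening a per-operating-system verification rule set, and treating an alert from a rule unrelated to the target operating system as a misjudgment), as an added Python illustration that is not code from the patent or its assignee. The guest names, port numbers, rule names and signature strings are constructed sample data, and a substring match stands in for a real IDS signature.

```python
# Added illustration, not the patent's code: constructed guests, ports, rules and signatures.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    dst_vm: str      # guest the packet is addressed to (constructed label)
    dst_port: int    # communication port the packet arrived on
    payload: bytes

@dataclass(frozen=True)
class GuestInfo:
    """Operating-system information and network-service information kept per guest."""
    os_family: str            # "windows" or "unix-like"
    service_ports: frozenset  # service communication port numbers actually in use

@dataclass(frozen=True)
class Rule:
    """One verification rule; a substring match stands in for a real IDS signature."""
    name: str
    os_family: Optional[str]  # None: the rule applies to every operating system
    port: Optional[int]       # None: the rule applies to every port
    signature: bytes

def port_filter(pkt: Packet, guest: GuestInfo) -> bool:
    """Pre-filter: keep the packet only if the target guest runs a service on that port."""
    return pkt.dst_port in guest.service_ports

def screen_rules(rules: List[Rule], guest: GuestInfo) -> List[Rule]:
    """Select the rule subset relevant to the target guest's OS and its services."""
    return [r for r in rules
            if (r.os_family is None or r.os_family == guest.os_family)
            and (r.port is None or r.port in guest.service_ports)]

def matching_rules(pkt: Packet, rules: List[Rule]) -> List[Rule]:
    """Rules that would raise an alert on this packet."""
    return [r for r in rules
            if (r.port is None or r.port == pkt.dst_port)
            and r.signature in pkt.payload]

def is_false_judgment(rule: Rule, guest: GuestInfo) -> bool:
    """An alert from a rule that cannot apply to the target guest's OS is a misjudgment."""
    return rule.os_family is not None and rule.os_family != guest.os_family

def inspect_screened(pkt: Packet, guests: Dict[str, GuestInfo], rules: List[Rule]) -> str:
    """Port filter first, then verify with the screened rule set only."""
    guest = guests.get(pkt.dst_vm)
    if guest is None:
        return "drop:unknown-guest"
    if not port_filter(pkt, guest):
        return "drop:no-service-on-port"
    hits = matching_rules(pkt, screen_rules(rules, guest))
    return "block:" + hits[0].name if hits else "forward"

def inspect_full(pkt: Packet, guests: Dict[str, GuestInfo],
                 rules: List[Rule]) -> Tuple[str, List[str]]:
    """Verify with every rule, then discard alerts from rules unrelated to the target
    OS instead of acting on them. Returns (verdict, names of suppressed alerts)."""
    guest = guests[pkt.dst_vm]
    hits = matching_rules(pkt, rules)
    real = [r for r in hits if not is_false_judgment(r, guest)]
    suppressed = [r.name for r in hits if is_false_judgment(r, guest)]
    return ("block:" + real[0].name if real else "forward"), suppressed

# Constructed sample data: a Windows guest (web + e-mail) and a Unix-like guest (web + FTP).
GUESTS = {
    "vm-first": GuestInfo("windows", frozenset({80, 25})),
    "vm-second": GuestInfo("unix-like", frozenset({80, 21})),
}
RULES = [
    Rule("win-http-sig", "windows", 80, b"SAMPLE-WIN-HTTP-SIG"),
    Rule("unix-ftp-sig", "unix-like", 21, b"SAMPLE-UNIX-FTP-SIG"),
    Rule("any-http-sig", None, 80, b"SAMPLE-ANY-HTTP-SIG"),
]

if __name__ == "__main__":
    # A Windows-only signature arriving at the Unix-like guest: screened out, or suppressed.
    p = Packet("vm-second", 80, b"GET / SAMPLE-WIN-HTTP-SIG")
    print(inspect_screened(p, GUESTS, RULES))  # forward
    print(inspect_full(p, GUESTS, RULES))      # ('forward', ['win-http-sig'])
```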

Claims (20)

1. An information safety protection host machine, characterized in that it comprises:
a network interface, connected to a computer network, for receiving a first packet and a second packet; and
a virtual machine administrator device, connected to the network interface, for running a first operating system, a second operating system and a safety system, the first operating system providing a first network service, the second operating system providing a second network service, and the safety system providing a plurality of verification rules, the virtual machine administrator device further providing in real time first operating system information of the first operating system and first network service information of the first network service, and providing in real time second operating system information of the second operating system and second network service information of the second network service;
wherein the first network service information comprises a first service communication port number, and when the network interface receives the first packet through a communication port, the virtual machine administrator device further judges, according to the first operating system information or the first network service information, that the first packet is related to the first operating system and that the port number of the communication port is not equal to the first service communication port number, so as to filter out the first packet;
wherein the second network service information comprises a second service communication port number, and when the network interface receives the second packet through another communication port, the virtual machine administrator device further judges, according to the second operating system information or the second network service information, that the second packet is related to the second operating system and that the port number of the other communication port is not equal to the second service communication port number, so as to filter out the second packet;
wherein the virtual machine administrator device further provides the first operating system information and the first network service information to the safety system in real time, so that the safety system selects a first verification rule set from the verification rules according to the first operating system information or the first network service information; and when the virtual machine administrator device judges, according to the first operating system information or the first network service information, that the first packet is related to the first operating system and that the port number of the communication port equals the first service communication port number, the safety system judges that the first packet is related to the first operating system and applies the first verification rule set to verify the first packet;
wherein the virtual machine administrator device further provides the second operating system information and the second network service information to the safety system in real time, so that the safety system selects a second verification rule set from the verification rules according to the second operating system information or the second network service information; and when the virtual machine administrator device judges, according to the second operating system information or the second network service information, that the second packet is related to the second operating system and that the port number of the other communication port equals the second service communication port number, the safety system judges that the second packet is related to the second operating system and applies the second verification rule set to verify the second packet.
2. The information safety protection host machine according to claim 1, characterized in that the virtual machine administrator device further comprises a memory, and when the virtual machine administrator device runs the first operating system, the memory stores the first operating system information and the first network service information.
3. The information safety protection host machine according to claim 1, characterized in that the first operating system information indicates that the first operating system is one of a Microsoft operating system and a Unix-like operating system.
4. The information safety protection host machine according to claim 1, characterized in that the first network service is selected from the following group: a web service, a file transfer protocol (FTP) service and an e-mail service.
5. The information safety protection host machine according to claim 1, characterized in that the virtual machine administrator device further comprises a memory, and when the virtual machine administrator device runs the second operating system, the memory stores the second operating system information and the second network service information.
6. The information safety protection host machine according to claim 1, characterized in that the second operating system information indicates that the second operating system is one of a Microsoft operating system and a Unix-like operating system.
7. The information safety protection host machine according to claim 1, characterized in that the second network service is selected from the following group: a web service, a file transfer protocol (FTP) service and an e-mail service.
8. An information safety protection host machine, characterized in that it comprises:
a network interface, connected to a computer network, for receiving a first packet and a second packet; and
a virtual machine administrator device, connected to the network interface, for running a first operating system, a second operating system and a safety system, the first operating system providing a first network service, the second operating system providing a second network service, and the safety system providing a plurality of verification rules;
wherein the virtual machine administrator device further provides first operating system information of the first operating system and first network service information of the first network service to the safety system in real time, so that the safety system selects a first verification rule set from the verification rules according to the first operating system information or the first network service information, judges that the first packet is related to the first operating system, and applies the first verification rule set to verify the first packet;
wherein the virtual machine administrator device further provides second operating system information of the second operating system and second network service information of the second network service to the safety system in real time, so that the safety system selects a second verification rule set from the verification rules according to the second operating system information or the second network service information, judges that the second packet is related to the second operating system, and applies the second verification rule set to verify the second packet.
9. The information safety protection host machine according to claim 8, characterized in that the virtual machine administrator device further comprises a memory, and when the virtual machine administrator device runs the first operating system, the memory stores the first operating system information and the first network service information.
10. The information safety protection host machine according to claim 8, characterized in that the first operating system information indicates that the first operating system is one of a Microsoft operating system and a Unix-like operating system.
11. The information safety protection host machine according to claim 8, characterized in that the first network service and the second network service are each selected from the following group: a web service, a file transfer protocol (FTP) service and an e-mail service.
12. The information safety protection host machine according to claim 8, characterized in that the virtual machine administrator device further comprises a memory, and when the virtual machine administrator device runs the second operating system, the memory stores the second operating system information and the second network service information.
13. The information safety protection host machine according to claim 8, characterized in that the second operating system information indicates that the second operating system is one of a Microsoft operating system and a Unix-like operating system.
14. An information safety protection host machine, characterized in that it comprises:
a network interface, connected to a computer network, for receiving a first packet and a second packet; and
a virtual machine administrator device, connected to the network interface, for running a first operating system, a second operating system and a safety system, the first operating system providing a first network service, the second operating system providing a second network service, and the safety system providing a plurality of verification rules and verifying the first packet and the second packet according to those verification rules, the virtual machine administrator device further providing in real time first operating system information of the first operating system and first network service information of the first network service, and providing in real time second operating system information of the second operating system and second network service information of the second network service;
wherein, when the first packet fails one of the verification rules, the virtual machine administrator device further judges, according to the first operating system information or the first network service information, that the first packet is related to the first operating system and that the rule is unrelated to the first operating system, so as to avoid a false judgment when the safety system verifies the first packet according to the verification rules;
wherein, when the second packet fails another of the verification rules, the virtual machine administrator device further judges, according to the second operating system information or the second network service information, that the second packet is related to the second operating system and that the other rule is unrelated to the second operating system, so as to avoid another false judgment when the safety system verifies the second packet according to the verification rules.
15. The information safety protection host machine according to claim 14, characterized in that the virtual machine administrator device further comprises a memory, and when the virtual machine administrator device runs the first operating system, the memory stores the first operating system information and the first network service information.
16. The information safety protection host machine according to claim 14, characterized in that the first operating system information indicates that the first operating system is one of a Microsoft operating system and a Unix-like operating system.
17. The information safety protection host machine according to claim 14, characterized in that the first network service is selected from the following group: a web service, a file transfer protocol (FTP) service and an e-mail service.
18. The information safety protection host machine according to claim 14, characterized in that the virtual machine administrator device further comprises a memory, and when the virtual machine administrator device runs the second operating system, the memory stores the second operating system information and the second network service information.
19. The information safety protection host machine according to claim 14, characterized in that the second operating system information indicates that the second operating system is one of a Microsoft operating system and a Unix-like operating system.
20. The information safety protection host machine according to claim 14, characterized in that the second network service is selected from the following group: a web service, a file transfer protocol (FTP) service and an e-mail service.
Priority Applications (1)

Application Number: CN201010554245.0A (granted as CN102469098B, status Active)
Priority Date: 2010-11-11
Filing Date: 2010-11-11
Title: Information safety protection host machine

Publications (2)

Publication Number   Publication Date
CN102469098A (en)    2012-05-23 (application publication)
CN102469098B (en)    2014-08-20 (grant publication)

Family ID: 46072272

Legal Events

Code   Description
C06    Publication
PB01   Publication
C10    Entry into substantive examination
SE01   Entry into force of request for substantive examination
C14    Grant of patent or utility model
GR01   Patent grant